EU Data Mining Scheme Fails Constitution Test

(CN) – A data mining directive passed by European lawmakers violates the very essence of the EU constitution through its scope and breadth, an adviser to the Court of Justice found Thursday. Passed by both houses of the EU legislature in 2006, the law requires providers of telephone and electronic communications to collect traffic and location data – but not content – and retain the information for two years. Lawmakers claimed the directive “harmonized” communication data retention across the EU, since it tasked member states with ensuring communication companies collected, kept and then dumped the data in question. But digital privacy watchdog groups – like Digital Rights Ireland in this case – say the scheme undermines previous laws which gave greater protection of personal data to EU citizens, all in the name of surveillance. In his opinion for the Court of Justice of the European Union, Advocate General Pedro Cruz Villalon agreed. “It must not be overlooked that the vague feeling of surveillance which implementation of the directive may cause is capable of having a decisive influence on the exercise by European citizens of their freedom of expression and information and that an interference with the right guaranteed by the EU Charter therefore could well also be found to exist,” Villalon wrote. And although the law expressly excludes collecting the content of people’s communications, what it does authorize draws a decent map of an individual’s private life. A map that can be later studied and traced by the authorities even years later, according to the adviser. “The fact remains that the collection and, above all, the retention in huge databases of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the EU constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities,” Villalon wrote. “The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, nonetheless constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period.” He continued: “The intensity of that interference is exacerbated by factors which increase the risk that, notwithstanding the obligations imposed by the law both on the member states themselves and on providers of electronic communications services, the retained data might be used for unlawful purposes which are potentially detrimental to privacy or more broadly, fraudulent or even malicious. Indeed, the data are not retained by the public authorities themselves or even under their direct control, but by the providers of electronic communications services themselves, upon which most of the obligations guaranteeing data protection and security are imposed.” By passing the responsibility for collecting and controlling the data first to member states and ultimately to communications providers, EU lawmakers shirk their own duty to protect the privacy of the citizens, according to the adviser. Villalon acknowledged that the ultimate objective – serious crime prevention – is legitimate. But that legitimacy fails to overcome the constitutional hurdles of the law, namely the administrative burden to member states and its unnecessarily long retention schedule, without a more precise definition of “serious crime,” he said. However, the adviser suggested that the high court give lawmakers an opportunity to fix its constitutional deficiencies before suspending the law entirely. “In cases in which the finding that an act of the European Union is invalid is based on an infringement of fundamental rights, the various interests involved must be very carefully weighed up,” Villalon wrote. “In the present instance, the relevance and even urgency of the ultimate objectives of the limitation on fundamental rights at issue are, on the one hand, not in doubt. The findings of invalidity, on the other hand, are of a very particular nature. First, the directive is invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected and retained and their use (quality of the law), an absence which nevertheless may have been corrected in the implementing measures adopted by the member states. Secondly, the member states have, in general, as is apparent from the information provided to the court, exercised their powers with moderation with respect to the maximum period of data retention. “It is appropriate in those circumstances to suspend the effects of the finding that the law is invalid pending adoption by the European Union legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period,” Villalon concluded.